Researchers from an app security firm have made a rather worrying discovery about how well certain parts of the dating app Tinder are encrypted.
The Tel Aviv-based firm Checkmarx discovered that if they were on the same WiFi network as someone using the app, they could not only watch that person’s swipes in real time but could even inject their own images into that person’s app.
The team found that the loophole worked on both the iOS and Android versions of the app and could be used by a hacker to inject false images, post inappropriate content or use it for blackmail purposes.
The team were able to do all this because photos in Tinder are sent without HTTPS, one of the most basic forms of encryption.
If you’re wondering just how widespread HTTPS encryption really is, look at the web address of most websites and you’ll see those letters at the beginning of the address.
Interestingly, Tinder does encrypt many other parts of the app, but by not encrypting the photos it has left open a weakness that allows hackers to see who you’re swiping on.
In a statement to HuffPost UK, a Tinder spokesperson said:
“We take the security and privacy of our users seriously. We employ a network of tools and systems to protect the integrity of our platform. That said, it’s important to note that Tinder is a free global platform, and the images that we serve are profile images, which are available to anyone swiping on the app. Like every other technology company, we are constantly improving our defenses in the battle against malicious hackers. For example, our desktop and mobile web platforms already encrypt profile images, and we are working towards encrypting images on our app experience as well. However, we do not go into any further detail on the specific security tools we use or enhancements we may implement to avoid tipping off would-be hackers.”
While the researchers acknowledge that the loophole is “disturbing”, they also ask an important question: with hacking of this kind becoming so widespread, what would it take for us to leave these services altogether?
“Where do we, as users, draw the line? Is it at the smallest compromise of our privacy or do we shrug it off until sensitive data is stolen?” asks Dafna Zahger, the product marketing manager at Checkmarx.
The vulnerability is clearly a problem, but for most of us the chances of a) a hacker being on the same WiFi network as us and then b) looking to exploit how we use Tinder are small.
That being said, it also raises a question: even if there isn’t someone looking to exploit this, are we still happy to carry on using the app knowing our activity on it is easily viewable?